+1 for the necessary support for out-of-domain Windows clients and NTLMSSP.
Is there a time-table for this?
Thanks,
Dylan.
On 7 May 2015 at 08:48, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 07 May 2015, box 31978 wrote:
>>
>> Hello Alexander,
>>
>> Thank you very much for your answers!
>>
>>> If Windows client is not a part of the domain, there is no SSO and no
>>> Kerberos. Windows client will attempt using NTLMSSP authentication.
>>> ...
>>> Right now -- yes. You are saying you've following "FreeIPA's Samba
>>> integration guide" which I assume is
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>> ,
>>>
>>> which only works for Kerberos authentication because NTLMSSP is not
>>> supported by the SSSD.
>>
>>
>> Yes, your assumption is absolutely exact ;-)
>>
>> That's clear now, my thoughts went on this direction too: anyone is
>> handling a new kerberos ticket request because of authentication type.
>>
>>> Not really. The story is more complex than it seems and right now there
>>> is no ready-made solution for out-of-domain Windows clients.
>>
>>
>> Ok, I understand.
>>
>> Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
>> works fine on Samba3 and 389-DS), but I'm not sure about the
>> configuration.
>> Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
>> and LDAP auth (added settings in sssd.conf) at the same time for the same
>> domain? Will it work together or will I've to choose on of the two?
>
> SSSD can but you need Samba to be aware of these things because Samba
> needs way more than just passwords. FreeIPA uses different LDAP schema
> for the additional attributes compared to what standard Samba PASSDB
> module for LDAP expects so if you enable that one in smb.conf, you'll
> get nothing.
>
> As Christoph pointed in the another email, you may try to enable older
> Samba-compatible scheme but that wouldn't play well with IPA's support
> for SIDs (including on SSSD side) as we are using different attributes
> and you'll be forced to maintain certain aspects manually.
>
> There is hope to get NTLMSSP support implemented but not soon, we have
> bits in place but there is still work to be done.
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project